It surprises me when end users assume whatever message they are sending over IM/social network cannot be read by the service provider. Facebook can read your messages, Gmail can read your messages, why should Skype be any different?

The bigger question is - can your ISP snoop on those messages? Can your employer snoop on the messages if you are "skyping" at work?

Let's be honest... the US government requires backdoors in traditional telecom equipment for the purpose of wire tapping. At some point, Skype is going to get a subpoena for a wire tap (if it hasn't already). That means Skype (or MS) has probably left itself the ability to comply. This should not be a surprise...

Just imagine: "So, your job is to run some servers. They will programmatically visit any arbitrary URL that any Skype user wishes to feed them. Have a nice day, and try not to get compromised."

I rather doubt they are using some desktop browser to visit these links. They're probably using some sort of special-purpose scanning tool: not something that executes any arbitrary code it downloads and freely loads Flash and PDF files outside of a sandbox. Even a browser with no plugins and Javascript disabled is pretty safe, if you aren't inputting any information into the webpages.

I have to wonder what brave admin at MS is responsible for handling the machines that follow links in Skype traffic...

Just imagine: "So, your job is to run some servers. They will programmatically visit any arbitrary URL that any Skype user wishes to feed them. Have a nice day, and try not to get compromised."

If you issue a HTTP GET from your favorite programming language, there isn't much risk of a browser exploit working. I'm pretty damn sure MS doesn't script Internet Explorer to visit all those pages.

Presumably, if they are looking for phishing/malware/etc. they have to be running something of reasonable complexity against the payload. Just poking the server and getting a 'yup, it's here!' would indeed be fairly safe; but also entirely pointless. They have to be running some sort of AV system or something for the system to be worth operating at all.

I must have missed the part where Skype was touted as providing encrypted communication.

From their site:

Quote:

Voice messages are encrypted in the same way as Skype calls and instant messages are encrypted. However, after you have listened to a voice message, it is transferred from our servers to your local machine, where it is stored as an unencrypted file.

Skype uses the AES (Advanced Encryption Standard*), also known as Rijndael, which is used by the US Government to protect sensitive information, and Skype uses the maximum 256-bit encryption. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

So your only proof is that someone used an IP owned by Microsoft. Guess what, I use IPs owned by Microsoft too, that doesn't mean I'm an employee. Kind of like blaming Comcast

Except only Ars and someone who has access to the plaintext Skype message know the links. Since Microsoft controls the Skype protocol, it's much more likely Microsoft is scanning Skype IM messages for malware than that someone else has broken Skype encryption and is coincidentally also using a Microsoft address. It may not be 100% that Microsoft pinged those links, but it's pretty damn compelling.

I must have missed the part where Skype was touted as providing encrypted communication.

From their site:

Quote:

Voice messages are encrypted in the same way as Skype calls and instant messages are encrypted. However, after you have listened to a voice message, it is transferred from our servers to your local machine, where it is stored as an unencrypted file.

Skype uses the AES (Advanced Encryption Standard*), also known as Rijndael, which is used by the US Government to protect sensitive information, and Skype uses the maximum 256-bit encryption. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

Meh. I read that as "your communication with our service is encrypted in transit," not "your communication is secure."

I have to wonder what brave admin at MS is responsible for handling the machines that follow links in Skype traffic...

Just imagine: "So, your job is to run some servers. They will programmatically visit any arbitrary URL that any Skype user wishes to feed them. Have a nice day, and try not to get compromised."

If you issue a HTTP GET from your favorite programming language, there isn't much risk of a browser exploit working. I'm pretty damn sure MS doesn't script Internet Explorer to visit all those pages.

Presumably, if they are looking for phishing/malware/etc. they have to be running something of reasonable complexity against the payload. Just poking the server and getting a 'yup, it's here!' would indeed be fairly safe; but also entirely pointless. They have to be running some sort of AV system or something for the system to be worth operating at all.

You can scan for p.a.c.k.e.r and suchlike obfuscation techniques. You can also use, for example, the Python version of jsbeautifier to unpack the code and look for common malicious patterns. An in-depth scan will require actually running the code in a completely sandboxed environment.
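Added example (not part of the thread, and not Microsoft's or Skype's code): a static triage pass of the kind discussed above, which pulls links out of a message with a regular expression and checks already-fetched page bodies for packer-style obfuscation without executing anything. The indicator list, function names, and sample hosts are assumptions made for illustration.

```python
import re

# Links as a client-side regular expression might pull them from a message.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Static indicators of packed/obfuscated JavaScript; nothing is executed.
INDICATORS = {
    # Header emitted by Dean Edwards' packer ("p,a,c,k,e,r" / "p,a,c,k,e,d").
    "packer": re.compile(r"eval\(function\(p,a,c,k,e,[rd]\)"),
    "eval_unescape": re.compile(r"eval\(\s*unescape\(", re.I),
    "write_unescape": re.compile(r"document\.write\(\s*unescape\(", re.I),
    "long_fromcharcode": re.compile(r"String\.fromCharCode\((?:\s*\d+\s*,){20,}"),
}

def extract_urls(message):
    """Return http(s) links in a message, trimming trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]

def scan_body(body, max_bytes=1_000_000):
    """Name the indicators found in a fetched body (bytes), size-capped."""
    text = body[:max_bytes].decode("utf-8", errors="replace")
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def triage(message, fetched):
    """Map each link in the message to its findings; None if not fetched."""
    return {u: scan_body(fetched[u]) if u in fetched else None
            for u in extract_urls(message)}

# Constructed sample data (hypothetical hosts, no network access needed).
SAMPLE_MESSAGE = "look at http://a.example/page.html, then https://b.example/x?id=1."
SAMPLE_FETCHED = {
    "http://a.example/page.html":
        b"<script>eval(function(p,a,c,k,e,r){return p}('0 1',2,2,'x|y'.split('|'),0,{}))</script>",
    "https://b.example/x?id=1": b"<html><body><p>hello</p></body></html>",
}

if __name__ == "__main__":
    for url, findings in triage(SAMPLE_MESSAGE, SAMPLE_FETCHED).items():
        print(url, findings)
```

A hit here only says the body deserves the deeper unpacking or sandboxed run; an empty result is not a verdict that the page is clean.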

The difference is that Skype is secure against a malicious hacker down the street. It is *not* secure against Microsoft and the Feds. For some people that's good enough. For others they'll probably have to look elsewhere. I think this is an issue that needs to be made public so people can vote with their feet.

Great story, nice to have some good hard evidence on this, and an easy article to point to for explaining to my acquaintances why they shouldn't use Skype.

Why not? Unless you're engaged in something blatantly illegal, Skype is reliable and convenient, and gives you a reasonable level of protection against adversaries attempting to sniff your communications without cooperation from Microsoft. Sounds good to me.

Edit: Don't mistake this for another one of those silly, fallacious "the innocent need not fear" arguments. Of course you should be defensive about your right to privacy. But for mundane uses it's perfectly acceptable.

I must have missed the part where Skype was touted as providing encrypted communication.

From their site:

Quote:

Voice messages are encrypted in the same way as Skype calls and instant messages are encrypted. However, after you have listened to a voice message, it is transferred from our servers to your local machine, where it is stored as an unencrypted file.

Skype uses the AES (Advanced Encryption Standard*), also known as Rijndael, which is used by the US Government to protect sensitive information, and Skype uses the maximum 256-bit encryption. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

Meh. I read that as "your communication with our service is encrypted in transit," not "your communication is secure."

Oh. Then maybe I just misunderstood the comment, because he just said "encrypted communication".

Back when it was still peer-to-peer, it would have almost certainly had full point-to-point encryption. I don't remember if they touted as much, but that's what everyone assumed. It's one thing to let Microsoft scan your messages for spam (this is not different than having them be your email provider). It's quite another to let whatever random peer happens to be operating in super-node mode be able to read your messages. I'm not saying that Skype's security was necessarily perfect (they did operate in security-by-obscurity mode, after all), just that the security goal would have had to be to not allow super-nodes to decrypt messages.

So your only proof is that someone used an IP owned by Microsoft. Guess what, I use IPs owned by Microsoft too, that doesn't mean I'm an employee. Kind of like blaming Comcast

Except only Ars and someone who has access to the plaintext Skype message know the links. Since Microsoft controls the Skype protocol, it's much more likely Microsoft is scanning Skype IM messages for malware than that someone else has broken Skype encryption and is coincidentally also using a Microsoft address. It may not be 100% that Microsoft pinged those links, but it's pretty damn compelling.

So your only proof is that someone used an IP owned by Microsoft. Guess what, I use IPs owned by Microsoft too, that doesn't mean I'm an employee. Kind of like blaming Comcast

Except only Ars and someone who has access to the plaintext Skype message know the links. Since Microsoft controls the Skype protocol, it's much more likely Microsoft is scanning Skype IM messages for malware than that someone else has broken Skype encryption and is coincidentally also using a Microsoft address. It may not be 100% that Microsoft pinged those links, but it's pretty damn compelling.

Still, there's a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party's control.

I can see average users making this assumption. I don't see why any security professional or other knowledgeable person would be assuming that today. This is from almost a year ago:

Oh. Then maybe I just misunderstood the comment, because he just said "encrypted communication".

Back when it was still peer-to-peer, it would have almost certainly had full point-to-point encryption. I don't remember if they touted as much, but that's what everyone assumed. It's one thing to let Microsoft scan your messages for spam (this is not different than having them be your email provider). It's quite another to let whatever random peer happens to be operating in super-node mode be able to read your messages. I'm not saying that Skype's security was necessarily perfect (they did operate in security-by-obscurity mode, after all), just that the security goal would have had to be to not allow super-nodes to decrypt messages.

Maybe, but I never assumed that it did, even when it was p2p. Skype never made it easy to verify someone else's identity with direct key exchange, so at that point guaranteeing privacy from everybody was already pretty hopeless. Luckily we were just yelling a lot, and all the bombs we talked about planting were in Call of Duty 2 ;P

Your paraphrase is not matched by the article you linked. In fact, the article you linked explicitly states that it's unknown whether iMessage messages are encrypted end-to-end.

Yeah, even if the DEA guy wasn't just confused, there really isn't enough information in that article to explain the problem. Could be the Feds can't decrypt, but that Apple can. Remember, it is perfectly legal for the DEA to try to spy on two Colombian citizens in Colombia. But they wouldn't have a warrant to do that, so Apple wouldn't be helping them.

The subtext of that article could be "oh, we can get access to iMessage messages when we have a warrant, but we can't do the foreign covert spying that we like to do".

Oh. Then maybe I just misunderstood the comment, because he just said "encrypted communication".

Back when it was still peer-to-peer, it would have almost certainly had full point-to-point encryption. I don't remember if they touted as much, but that's what everyone assumed. It's one thing to let Microsoft scan your messages for spam (this is not different than having them be your email provider). It's quite another to let whatever random peer happens to be operating in super-node mode be able to read your messages. I'm not saying that Skype's security was necessarily perfect (they did operate in security-by-obscurity mode, after all), just that the security goal would have had to be to not allow super-nodes to decrypt messages.

Maybe, but I never assumed that it did, even when it was p2p. Skype never made it easy to verify someone else's identity with direct key exchange, so at that point guaranteeing privacy from everybody was already pretty hopeless. Luckily we were just yelling a lot, and all the bombs we talked about planting were in Call of Duty 2 ;P

Good point. It's always been an open question exactly how the Skype encryption worked. I would still tend to believe that the goal back when it was peer-to-peer was for encryption to be point-to-point. But whether they really achieved that... who knows?

EDIT: It just seems silly to imagine they didn't want to avoid MiM eavesdropping.

Great story, nice to have some good hard evidence on this, and an easy article to point to for explaining to my acquaintances why they shouldn't use Skype.

Why not? Unless you're engaged in something blatantly illegal, Skype is reliable and convenient, and gives you a reasonable level of protection against adversaries attempting to sniff your communications without cooperation from Microsoft. Sounds good to me.

Edit: Don't mistake this for another one of those silly, fallacious "the innocent need not fear" arguments. Of course you should be defensive about your right to privacy. But for mundane uses it's perfectly acceptable.

I recently needed identifying information from my nieces, including birth dates, addresses, Social Security numbers, etc. What you're saying is that it's OK to trust unidentified MS employees with that information. I disagree.

Still, there's a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party's control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth.

...

Specifics of the Microsoft scanning remain unclear; one possibility is that the scanning and spam-checking happen on Microsoft servers as communications pass through supernodes. Another possibility is that the Skype client on each end-user machine uses "regular expression" programming techniques built into the software and sends only the links to Microsoft servers.

I was surprised how long it took the article to point out the most likely thing happening here: That client-side logic, after the message has been received and decrypted, is probably transmitting URLs to Microsoft to compare against lists of known malware sites. Just as Firefox's "Phishing Protection feature" does every time you enter a URL into the address bar.

Great story, nice to have some good hard evidence on this, and an easy article to point to for explaining to my acquaintances why they shouldn't use Skype.

Why not? Unless you're engaged in something blatantly illegal, Skype is reliable and convenient, and gives you a reasonable level of protection against adversaries attempting to sniff your communications without cooperation from Microsoft. Sounds good to me.

Edit: Don't mistake this for another one of those silly, fallacious "the innocent need not fear" arguments. Of course you should be defensive about your right to privacy. But for mundane uses it's perfectly acceptable.

I recently needed identifying information from my nieces, including birth dates, addresses, Social Security numbers, etc. What you're saying is that it's OK to trust unidentified MS employees with that information. I disagree.

I think the point is that this means that Skype IMs are basically no less secure than using third-party email. Probably more secure, since it always only goes through a single company's servers and at all other points in the chain is encrypted. If you wouldn't send something from your Gmail account to another Gmail user, then you shouldn't send it via Skype, either. But most people wouldn't be concerned sending most things Gmail user -> Gmail user.

EDIT: But I agree that it's always good to know the exact nature of the encryption. The "vote with their feet" comment above is appropriate. I just think it's also not the end of the world to find out that Skype security is no different than Gmail security.

This should serve as (yet another) warning to anyone requiring privacy: If you don't have exclusive control of the encryption keys, the security of the data is suspect and should not be trusted without exhaustive validation.